From: Zijun Hu <quic_zijuhu@quicinc.com>
software_node_get_reference_args() wants to get @index-th element, so
the property value requires at least '(index + 1) * sizeof(*ref)' bytes.
Correct the check to avoid OOB access.
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
---
drivers/base/swnode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
index 67040fff99b02c43999b175c2ba7e6d04322a446..efaac07f8ba38fae55214b71c2ecee15b5a711b1 100644
--- a/drivers/base/swnode.c
+++ b/drivers/base/swnode.c
@@ -529,7 +529,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode,
if (prop->is_inline)
return -EINVAL;
- if (index * sizeof(*ref) >= prop->length)
+ if ((index + 1) * sizeof(*ref) > prop->length)
return -ENOENT;
ref_array = prop->pointer;
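Review bot: on the added line, `(index + 1) * sizeof(*ref)` can wrap if `index` has an unsigned type narrower than size_t (its declaration is outside this hunk). At the maximum value `index + 1` becomes 0, the product is 0, the test is false, and the @index-th element of `ref_array` is then fetched far outside the property value. The removed `index * sizeof(*ref) >= prop->length` test rejected that case wherever the product itself does not wrap. Comparing in elements avoids both the increment and the multiplication: `if (index >= prop->length / sizeof(*ref))`.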
--
2.34.1
On Thu, Apr 10, 2025 at 09:12:12PM +0800, Zijun Hu wrote: > From: Zijun Hu <quic_zijuhu@quicinc.com> > > software_node_get_reference_args() wants to get @index-th element, so > the property value requires at least '(index + 1) * sizeof(*ref)' bytes. > > Correct the check to avoid OOB access. > > Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com> Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com> > --- > drivers/base/swnode.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c > index 67040fff99b02c43999b175c2ba7e6d04322a446..efaac07f8ba38fae55214b71c2ecee15b5a711b1 100644 > --- a/drivers/base/swnode.c > +++ b/drivers/base/swnode.c > @@ -529,7 +529,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode, > if (prop->is_inline) > return -EINVAL; > > - if (index * sizeof(*ref) >= prop->length) > + if ((index + 1) * sizeof(*ref) > prop->length) > return -ENOENT; > > ref_array = prop->pointer; > > -- > 2.34.1 > -- Sakari Ailus
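Review bot: the changelog should say which property lengths make the removed test insufficient. When `prop->length` is an exact multiple of `sizeof(*ref)`, `index * sizeof(*ref) >= prop->length` already rejects every index past the last element. The two tests differ only when the length leaves a partial trailing element, where the old test accepts an element that starts inside the property value and ends beyond it. Stating that in the commit message tells reviewers and backporters how reachable the OOB read is.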
On Thu, Apr 10, 2025 at 09:12:12PM +0800, Zijun Hu wrote:
> From: Zijun Hu <quic_zijuhu@quicinc.com>
>
> software_node_get_reference_args() wants to get @index-th element, so
> the property value requires at least '(index + 1) * sizeof(*ref)' bytes.
>
> Correct the check to avoid OOB access.
Any real traceback?
--
With Best Regards,
Andy Shevchenko
On 2025/4/14 16:08, Andy Shevchenko wrote:
> On Thu, Apr 10, 2025 at 09:12:12PM +0800, Zijun Hu wrote:
>> From: Zijun Hu <quic_zijuhu@quicinc.com>
>>
>> software_node_get_reference_args() wants to get @index-th element, so
>> the property value requires at least '(index + 1) * sizeof(*ref)' bytes.
>>
>> Correct the check to avoid OOB access.
> Any real traceback?
No, I found this issue while reading the code.
On Mon, Apr 14, 2025 at 07:12:27PM +0800, Zijun Hu wrote:
> On 2025/4/14 16:08, Andy Shevchenko wrote:
> > On Thu, Apr 10, 2025 at 09:12:12PM +0800, Zijun Hu wrote:
> >> From: Zijun Hu <quic_zijuhu@quicinc.com>
> >>
> >> software_node_get_reference_args() wants to get @index-th element, so
> >> the property value requires at least '(index + 1) * sizeof(*ref)' bytes.
> >>
> >> Correct the check to avoid OOB access.
> > Any real traceback?
>
> No, I found this issue while reading the code.
Please, mention this in the commit message.
--
With Best Regards,
Andy Shevchenko